[Freeipa-users] Closing off some ports for FreeIPA

[Jeremy Utley]

Hello all on the list.

First off, if this is documented somewhere I'm not aware of, I apologize
for the noise.  I've spent a couple of hours google searching google
without success, so pointers to any documentation I've missed would be
greatly appreciated!

We're in the process of setting up a FreeIPA system within our ultra-secure
PCI zone.  It's currently working well, and we are very happy with it.
However, we know that come our next audit, we're going to get hit on a few
things, so I would like to ask about blocking off some additional ports
(specifically 80, 389, 53).  53 I think will be safe to block off, as all
our clients actually use a dedicated caching DNS system with unbound, which
has been configured to forward all queries for the zone "ipa.domain.com" to
the FreeIPA servers, so we should be able to block 53 from everywhere but
the unbound servers without breakage.

However, port 80 and 389 I'm not so sure about.  I know most things that
hit port 80 get redirected to 443, and 389 provides STARTTLS functionality,
but in theory, these ports can provide unencrypted communications, and
therefore our auditors will ask that they be closed off.  However, in my
research so far, I have not been able to find out what the ramifications
would be to blocking these ports for the IPA system itself (would it fall
back to using SSL on 636? Would API calls fail if port 80 is closed?).

I also know that the ipa-client-install script will check to ensure these
ports are open - temporarily opening them for the client setup will not be
an issue, if we can close it back down after that.  We do not add systems
within this zone very often, so this is a minor issue.

Thanks for any advice you can give!

Jeremy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160401/0bf8fdbc/attachment.htm>